Zenoss ZenTech Community

I'm trying to work through on of Jane's papers on Event mapping but have a problem where incoming events from the server i'm monitoring is being interpreted incorrectly.

JAN 19 10:55:27: alert : 1/a/1074: clitask1: User admin@192.168.99.10 logged in on slot a

As you can see for some reason the original time the event occurred on the server is being displayed under "Component".

Subject:	I am guessing that this is a
Author:	Jane Curry
Posted:	2014-01-20 12:12

I am guessing that this is a message from syslog originally Check the Agent field of the event and see if it is zensyslog.

One of the unfortunate things about syslog is that there are lots of different "standards" about the format of a syslog message. What sort of device does this message originate from

If you have my "Event Management for Zenoss Core 4" paper then have a look on page 43, figure 19, that tries to explain how SyslogProcessing.py tries to decode the incoming native syslog event. Basically there are a bunch of regular expresions that match the various known syslog formats. Your SyslogProcessing.py may be slightly different as Zenoss tends to update this file with extra regular expressions as problems like yours are reported back to them.

You need to create am an entry in SyslogProcessing.py that matches your original syslog message and parses things out into their correct components. Make sure you backup that file before editing it. You might use a Python Regex tool to help you - I use http://www.pythonregex.com/ .

Once you have a regex that works, you will need to stop and start zenhyb, zopectl and zensyslog.

Cheers,

Jane

Email: jane.curry@skills-1st.co.uk Web: https://www.skills-1st.co.uk

Subject:	Question on how zenoss handles incoming events(Zenoss on Ubuntu)
Author:	[Not Specified]
Posted:	2014-01-19 03:25

Question on how zenoss handles incoming events(Zenoss on Ubuntu)